Over 40 models of low-cost Android smartphones are sold already infected with the Triada banking trojan, says Dr.Web, a Russia-based antivirus vendor.
The security vendor published today a list of 42 Android models its researchers analyzed and found to be infected with the Android.Triada.231 trojan.
Triada is a very powerful Android banking trojan discovered in early 2016. It can root devices and then infect Zygote, a core Android operating system process, where it's almost impossible to remove without wiping the entire device and reinstalling the OS.
Dr.Web says it found the trojan on newly shipped devices from lesser-known brands —mostly based in China— such as Leagoo, Doogee. Vertex, Advan, Cherry Mobile, and others.
"The malware is present in the devices which are sold not only in Russia but globally," a Dr.Web spokesperson told Bleeping Computer earlier today via email. "For instance, in Poland, Indonesia, China, the Checz Republic, Mexico, Kazakhstan, [and] Serbia."
Dr.Web's recent discovery isn't new, but it's a continuation of previous research. Back in July 2017, researchers found the same Triada trojan on four low-cost Android smartphone models —Leagoo M5 Plus, Leagoo M8, Nomu S10, and Nomu S20.
Researchers continued to look into the matter and eventually discovered 42 smartphone models that were coming with malware pre-installed out of the box.
Experts say that their discovery over the summer didn't deter whoever was behind this action to stop. For example, they found Triada pre-installed on Leagoo M9 phones, a model launched in December 2017.
The antivirus vendor says it contacted all affected vendors, believing one of their shared resellers was injecting the trojan before shipping devices forward.
Instead, researchers figured out that a software developer from Shanghai was most likely the source of the Triada infection.
"This company provided Leagoo with one of its applications to be included into an image of the mobile operating system, as well as with an instruction to add third-party code into the system libraries before their compilation," researchers say. "Unfortunately, this controversial request did not evoke any suspicions from the manufacturer. Ultimately, Android.Triada.231 got to the smartphones without any obstacles."
Researchers say this Triada-infected application developed by the Shanghai company was signed with the same certificate that was seen in another malware infection, in November 2016 —an Android app with over 1 million downloads on the Google Play Store that was infecting users with the Android.MulDrop adware.
In the end, this is just another case when users suffer the consequences of companies that fail to validate their software supply chain.
The list of Android smartphone models that Dr.Web found infected with the Triada trojan right out of the box is below:
Leagoo M5 Plus
Leagoo M5 Edge
Leagoo M8 Pro
Leagoo T1 Plus
ARK Benefit M8
Zopo Speed 7 Plus
Doogee X5 Max
Doogee X5 Max Pro
Doogee Shoot 1
Doogee Shoot 2
Kiano Elegance 5.1
iLife Fivo Lite
Vertex Impress InTouch 4G
Vertex Impress Genius
myPhone Hammer Energy
Advan S5E NXT
STF AERIAL PLUS
STF JOY PRO
Cherry Mobile Flare S5
Cherry Mobile Flare J2S
Cherry Mobile Flare P1
Pelitt T1 PLUS
Prestigio Grace M5 LTE